Skip to content
Circadify Circadify Circadify

Encryption

All data handled by Circadify is encrypted both in transit and at rest.

Encryption in Transit

Section titled “Encryption in Transit”

All communication with the Circadify API is encrypted using TLS.

  • Protocol: TLS 1.3 (TLS 1.2 supported for backward compatibility)
  • Cipher suites: AES-256-GCM with ECDHE key exchange
  • HSTS: Enforced on all responses with max-age=31536000; includeSubDomains; preload
  • Security headers: Every response includes X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Content-Security-Policy: default-src 'none'; frame-ancestors 'none', and Cache-Control: no-store, no-cache, must-revalidate, private

Encryption at Rest

Section titled “Encryption at Rest”

All persistent data stores use encryption at rest:

  • Database — AES-256 encryption at rest for developer accounts, API key hashes, audit logs, and usage records.
  • Object storage — Server-side encryption for uploaded data.
  • Session store — Encryption at rest enabled for ephemeral session data (15-minute TTL).
  • Key management — Encryption keys are automatically rotated on a regular schedule.

On-Device Data Protection

Section titled “On-Device Data Protection”

Because the Circadify SDK performs rPPG analysis entirely on-device, raw biometric data (camera frames, video) is never transmitted over the network. Only derived vital sign scores and confidence metrics are sent to the API over TLS.

This architecture provides inherent data protection — sensitive biometric input is processed and discarded locally, and only non-reversible numerical results cross the network boundary.

Key & Secret Management

Section titled “Key & Secret Management”

Circadify uses distinct cryptographic approaches for different types of secrets:

  • API keys — Generated using cryptographically secure random bytes and stored as one-way hashes. Only the key prefix is retained in plaintext for identification. The full key is shown once at creation and never stored.
  • Passwords — Developer account passwords are hashed with bcrypt before storage. Raw passwords are never logged or persisted.
  • Session tokens — Generated using CSPRNG and stored as hashes with a 24-hour TTL.
  • Application secrets — API signing secrets and third-party credentials are stored in a managed secrets service with automatic rotation and short-lived caching.

Next Steps

Section titled “Next Steps”